lib/isccfg/aclconf.c

	aclconf.c revision 3d78993c6d415f600f57520d1566627b5535d715
9e6de65c57eddc3790badaad3b9481aaaed18e03Brian Wellington/*
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence * Copyright (C) 1999-2002  Internet Software Consortium.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews *
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * Permission to use, copy, modify, and/or distribute this software for any
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * purpose with or without fee is hereby granted, provided that the above
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence * copyright notice and this permission notice appear in all copies.
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence *
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
d09197467bbb156dccf0cbe72bb5c63480d5cfdcDavid Lawrence * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
d09197467bbb156dccf0cbe72bb5c63480d5cfdcDavid Lawrence * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
d09197467bbb156dccf0cbe72bb5c63480d5cfdcDavid Lawrence * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
64ba6e4cc3a0ccf8c8c6349fa75b937ca9bad9a6Michael Graff * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
64ba6e4cc3a0ccf8c8c6349fa75b937ca9bad9a6Michael Graff * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
7829fad4093f2c1985b1efb7cea00287ff015d2bckb * PERFORMANCE OF THIS SOFTWARE.
62ac31d7fd09b0bf2231e5f55ed85aed39bc2df6Evan Hunt */
62ac31d7fd09b0bf2231e5f55ed85aed39bc2df6Evan Hunt
62ac31d7fd09b0bf2231e5f55ed85aed39bc2df6Evan Hunt/* $Id: aclconf.c,v 1.16 2007/12/18 01:53:26 marka Exp $ */
7829fad4093f2c1985b1efb7cea00287ff015d2bckb
e59937c7283216ca22ce6e7937b06eab6d97f4acEvan Hunt#include <config.h>
7829fad4093f2c1985b1efb7cea00287ff015d2bckb
03b5d2689df73fa9a50ff684511fa9d81f317e6cEvan Hunt#include <isc/mem.h>
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence#include <isc/string.h>     /* Required for HP/UX (and others?) */
a03848252fa85734ca75beae3d0b01bb503c0a8bMark Andrews#include <isc/util.h>
dd57718608494835363244429432599aa15124a3Andreas Gustafsson
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉#include <isccfg/namedconf.h>
7829fad4093f2c1985b1efb7cea00287ff015d2bckb#include <isccfg/aclconf.h>
7829fad4093f2c1985b1efb7cea00287ff015d2bckb
092b4e5359c5982a438e36ced3dbefc313f7fbfcDavid Lawrence#include <dns/acl.h>
82a1986c04057804edf670bf5d59f716785af789Bob Halley#include <dns/iptable.h>
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence#include <dns/fixedname.h>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein#include <dns/log.h>
891a1bead8d02d29eb7b4993d7c0975047b0963dDavid Lawrence
891a1bead8d02d29eb7b4993d7c0975047b0963dDavid Lawrence#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
891a1bead8d02d29eb7b4993d7c0975047b0963dDavid Lawrence
891a1bead8d02d29eb7b4993d7c0975047b0963dDavid Lawrencevoid
891a1bead8d02d29eb7b4993d7c0975047b0963dDavid Lawrencecfg_aclconfctx_init(cfg_aclconfctx_t *ctx) {
891a1bead8d02d29eb7b4993d7c0975047b0963dDavid Lawrence    ISC_LIST_INIT(ctx->named_acl_cache);
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff}
73d62a89f1493865c33c689b3ee3de91c74ad58eDavid Lawrence
73d62a89f1493865c33c689b3ee3de91c74ad58eDavid Lawrencevoid
7829fad4093f2c1985b1efb7cea00287ff015d2bckbcfg_aclconfctx_destroy(cfg_aclconfctx_t *ctx) {
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    dns_acl_t *dacl, *next;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         dacl != NULL;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         dacl = next)
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    {
7829fad4093f2c1985b1efb7cea00287ff015d2bckb        next = ISC_LIST_NEXT(dacl, nextincache);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb        dns_acl_detach(&dacl);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    }
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence}
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff/*
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence * Find the definition of the named acl whose name is "name".
c80dde0676a7f36f65e0ad8d646bf505705fe64bDavid Lawrence */
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrencestatic isc_result_t
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrenceget_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence    isc_result_t result;
c80dde0676a7f36f65e0ad8d646bf505705fe64bDavid Lawrence    const cfg_obj_t *acls = NULL;
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff    const cfg_listelt_t *elt;
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff
33950f0a0262f4d49528c4adcf8be42807fa2576David Lawrence    result = cfg_map_get(cctx, "acl", &acls);
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff    if (result != ISC_R_SUCCESS)
b65f2ab14abb4b6ef906d7d02064fba158f07b1eDavid Lawrence        return (result);
b65f2ab14abb4b6ef906d7d02064fba158f07b1eDavid Lawrence    for (elt = cfg_list_first(acls);
b65f2ab14abb4b6ef906d7d02064fba158f07b1eDavid Lawrence         elt != NULL;
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff         elt = cfg_list_next(elt)) {
b65f2ab14abb4b6ef906d7d02064fba158f07b1eDavid Lawrence        const cfg_obj_t *acl = cfg_listelt_value(elt);
b65f2ab14abb4b6ef906d7d02064fba158f07b1eDavid Lawrence        const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence        if (strcasecmp(aclname, name) == 0) {
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman            if (ret != NULL) {
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                *ret = cfg_tuple_get(acl, "value");
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman            }
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman            return (ISC_R_SUCCESS);
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman        }
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman    }
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman    return (ISC_R_NOTFOUND);
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman}
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman
0f5962ac3e4ef336faff68f1cb838505e64665e5David Lawrencestatic isc_result_t
0f5962ac3e4ef336faff68f1cb838505e64665e5David Lawrenceconvert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
0f5962ac3e4ef336faff68f1cb838505e64665e5David Lawrence          isc_log_t *lctx, cfg_aclconfctx_t *ctx,
0f5962ac3e4ef336faff68f1cb838505e64665e5David Lawrence          isc_mem_t *mctx, unsigned int nest_level,
0f5962ac3e4ef336faff68f1cb838505e64665e5David Lawrence          dns_acl_t **target)
7829fad4093f2c1985b1efb7cea00287ff015d2bckb{
c9611b45736af157e2993c6ef852e55e8e24ca83Evan Hunt    isc_result_t result;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    const cfg_obj_t *cacl = NULL;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    dns_acl_t *dacl;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    dns_acl_t loop;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    const char *aclname = cfg_obj_asstring(nameobj);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    /* Look for an already-converted version. */
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         dacl != NULL;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         dacl = ISC_LIST_NEXT(dacl, nextincache))
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    {
b4a865ee130c8a1623a7060c27efec0c1f238403Francis Dupont        if (strcasecmp(aclname, dacl->name) == 0) {
7829fad4093f2c1985b1efb7cea00287ff015d2bckb            if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                cfg_obj_log(nameobj, lctx, ISC_LOG_ERROR,
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                        "acl loop detected: %s", aclname);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                return (ISC_R_FAILURE);
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User            }
c9611b45736af157e2993c6ef852e55e8e24ca83Evan Hunt            dns_acl_attach(dacl, target);
c9611b45736af157e2993c6ef852e55e8e24ca83Evan Hunt            return (ISC_R_SUCCESS);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb        }
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    }
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    /* Not yet converted.  Convert now. */
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    result = get_acl_def(cctx, aclname, &cacl);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    if (result != ISC_R_SUCCESS) {
e59937c7283216ca22ce6e7937b06eab6d97f4acEvan Hunt        cfg_obj_log(nameobj, lctx, ISC_LOG_WARNING,
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                "undefined ACL '%s'", aclname);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb        return (result);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    }
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    /*
7829fad4093f2c1985b1efb7cea00287ff015d2bckb     * Add a loop detection element.
7829fad4093f2c1985b1efb7cea00287ff015d2bckb     */
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    memset(&loop, 0, sizeof(loop));
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    ISC_LINK_INIT(&loop, nextincache);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    DE_CONST(aclname, loop.name);
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User    loop.magic = LOOP_MAGIC;
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User    ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx,
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User                    nest_level, &dacl);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    loop.magic = 0;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    loop.name = NULL;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    if (result != ISC_R_SUCCESS)
7829fad4093f2c1985b1efb7cea00287ff015d2bckb        return (result);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    dacl->name = isc_mem_strdup(dacl->mctx, aclname);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    if (dacl->name == NULL)
7829fad4093f2c1985b1efb7cea00287ff015d2bckb        return (ISC_R_NOMEMORY);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    ISC_LIST_APPEND(ctx->named_acl_cache, dacl, nextincache);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    dns_acl_attach(dacl, target);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    return (ISC_R_SUCCESS);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb}
7829fad4093f2c1985b1efb7cea00287ff015d2bckb
03b5d2689df73fa9a50ff684511fa9d81f317e6cEvan Huntstatic isc_result_t
e59937c7283216ca22ce6e7937b06eab6d97f4acEvan Huntconvert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
7829fad4093f2c1985b1efb7cea00287ff015d2bckb        dns_name_t *dnsname)
7829fad4093f2c1985b1efb7cea00287ff015d2bckb{
620620df3a74a5a57dc25221aae5033568703eb2Tinderbox User    isc_result_t result;
620620df3a74a5a57dc25221aae5033568703eb2Tinderbox User    isc_buffer_t buf;
e59937c7283216ca22ce6e7937b06eab6d97f4acEvan Hunt    dns_fixedname_t fixname;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    unsigned int keylen;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    const char *txtname = cfg_obj_asstring(keyobj);
620620df3a74a5a57dc25221aae5033568703eb2Tinderbox User
31707708c585c53b61ca1edb2e224e6bb1b985a5Evan Hunt    keylen = strlen(txtname);
e59937c7283216ca22ce6e7937b06eab6d97f4acEvan Hunt    isc_buffer_init(&buf, txtname, keylen);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    isc_buffer_add(&buf, keylen);
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User    dns_fixedname_init(&fixname);
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User    result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                   dns_rootname, ISC_FALSE, NULL);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    if (result != ISC_R_SUCCESS) {
7829fad4093f2c1985b1efb7cea00287ff015d2bckb        cfg_obj_log(keyobj, lctx, ISC_LOG_WARNING,
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                "key name '%s' is not a valid domain name",
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                txtname);
620620df3a74a5a57dc25221aae5033568703eb2Tinderbox User        return (result);
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User    }
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
7829fad4093f2c1985b1efb7cea00287ff015d2bckb}
7829fad4093f2c1985b1efb7cea00287ff015d2bckb
7829fad4093f2c1985b1efb7cea00287ff015d2bckbisc_result_t
7829fad4093f2c1985b1efb7cea00287ff015d2bckbcfg_acl_fromconfig(const cfg_obj_t *caml,
7829fad4093f2c1985b1efb7cea00287ff015d2bckb           const cfg_obj_t *cctx,
620620df3a74a5a57dc25221aae5033568703eb2Tinderbox User           isc_log_t *lctx,
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User           cfg_aclconfctx_t *ctx,
7829fad4093f2c1985b1efb7cea00287ff015d2bckb           isc_mem_t *mctx,
7829fad4093f2c1985b1efb7cea00287ff015d2bckb           unsigned int nest_level,
7829fad4093f2c1985b1efb7cea00287ff015d2bckb           dns_acl_t **target)
7829fad4093f2c1985b1efb7cea00287ff015d2bckb{
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    isc_result_t result;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    dns_acl_t *dacl = NULL, *inneracl = NULL;
620620df3a74a5a57dc25221aae5033568703eb2Tinderbox User    dns_aclelement_t *de;
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User    const cfg_listelt_t *elt;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    dns_iptable_t *iptab;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    REQUIRE(target != NULL);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    REQUIRE(*target == NULL || DNS_ACL_VALID(*target));
7829fad4093f2c1985b1efb7cea00287ff015d2bckb
7829fad4093f2c1985b1efb7cea00287ff015d2bckb    if (*target != NULL) {
620620df3a74a5a57dc25221aae5033568703eb2Tinderbox User        /*
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User         * If target already points to an ACL, then we're being
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         * called recursively to configure a nested ACL.  The
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         * nested ACL's contents should just be absorbed into its
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         * parent ACL.
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         */
7829fad4093f2c1985b1efb7cea00287ff015d2bckb        dns_acl_attach(*target, &dacl);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb        dns_acl_detach(target);
620620df3a74a5a57dc25221aae5033568703eb2Tinderbox User    } else {
8e6b386ab7e2d1bd8efedecbb8f4efb6b572a866Tinderbox User        /*
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         * Need to allocate a new ACL structure.  Count the items
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         * in the ACL definition and allocate space for that many
7829fad4093f2c1985b1efb7cea00287ff015d2bckb         * elements (even though some or all of them may end up in
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein         * the iptable instead of the element array).
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence         */
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence        isc_boolean_t recurse = ISC_TF(nest_level == 0);
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff        result = dns_acl_create(mctx,
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff                    cfg_list_length(caml, recurse),
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff                    &dacl);
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff        if (result != ISC_R_SUCCESS)
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman            return (result);
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman    }
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff    de = dacl->elements;
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman    for (elt = cfg_list_first(caml);
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff         elt != NULL;
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff         elt = cfg_list_next(elt))
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff    {
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff        const cfg_obj_t *ce = cfg_listelt_value(elt);
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews        isc_boolean_t   neg;
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff        if (cfg_obj_istuple(ce)) {
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff            /* This must be a negated element. */
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff            ce = cfg_tuple_get(ce, "value");
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence            neg = ISC_TRUE;
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein        } else
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence            neg = ISC_FALSE;
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence        /*
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff         * If nest_level is nonzero, then every element is
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff         * to be stored as a separate, nested ACL rather than
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff         * merged into the main iptable.
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence         */
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein        iptab = dacl->iptable;
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews        if (nest_level != 0) {
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews            result = dns_acl_create(mctx,
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews                        cfg_list_length(ce, ISC_FALSE),
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews                        &de->nestedacl);
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews            if (result != ISC_R_SUCCESS)
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews                goto cleanup;
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews            iptab = de->nestedacl->iptable;
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews        }
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews        if (cfg_obj_isnetprefix(ce)) {
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff            /* Network prefix */
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews            isc_netaddr_t   addr;
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews            unsigned int    bitlen;
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff            cfg_obj_asnetprefix(ce, &addr, &bitlen);
7704a47aec081144bdb7a0218d5e2dd5296b6b08Mark Andrews
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence                        /*
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein                         * If nesting ACLs (nest_level != 0), we negate
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence                         * the nestedacl element, not the iptable entry
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence                         */
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff            result = dns_iptable_addprefix(iptab, &addr, bitlen,
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff                              ISC_TF(nest_level != 0 || !neg));
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff            if (result != ISC_R_SUCCESS)
b239c8294a5653d21876d084e0c5b029f6b9fc5dMichael Graff                goto cleanup;
0f5962ac3e4ef336faff68f1cb838505e64665e5David Lawrence
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein            if (nest_level != 0) {
33950f0a0262f4d49528c4adcf8be42807fa2576David Lawrence                de->type = dns_aclelementtype_nestedacl;
b65f2ab14abb4b6ef906d7d02064fba158f07b1eDavid Lawrence                de->negative = neg;
b65f2ab14abb4b6ef906d7d02064fba158f07b1eDavid Lawrence            } else
47b7dfffe5d806c6a5e99ef17f07bcde812c2132Francis Dupont                continue;
b65f2ab14abb4b6ef906d7d02064fba158f07b1eDavid Lawrence        } else if (cfg_obj_islist(ce)) {
33950f0a0262f4d49528c4adcf8be42807fa2576David Lawrence            /*
f036af2c718147408d738081cdb0a564b981b4cdDavid Lawrence             * If we're nesting ACLs, put the nested
b16d99bac1d100735224ab3eaa84632537ff21b5Mark Andrews             * ACL onto the elements list; otherwise
b16d99bac1d100735224ab3eaa84632537ff21b5Mark Andrews             * merge it into *this* ACL.
b16d99bac1d100735224ab3eaa84632537ff21b5Mark Andrews             */
b16d99bac1d100735224ab3eaa84632537ff21b5Mark Andrews            if (nest_level == 0) {
1630fce031f7a3e33f0579e477a3e17d1993e1f9Bob Halley                if (inneracl != NULL)
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein                    dns_acl_detach(&inneracl);
1630fce031f7a3e33f0579e477a3e17d1993e1f9Bob Halley
1630fce031f7a3e33f0579e477a3e17d1993e1f9Bob Halley                result = cfg_acl_fromconfig(ce, cctx, lctx,
1630fce031f7a3e33f0579e477a3e17d1993e1f9Bob Halley                                ctx, mctx, 0,
1630fce031f7a3e33f0579e477a3e17d1993e1f9Bob Halley                                &inneracl);
1630fce031f7a3e33f0579e477a3e17d1993e1f9Bob Halley                if (result != ISC_R_SUCCESS)
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                    goto cleanup;
127a4a90b0d03ebf55ad44d25f75b30c3a6fb728Evan Hunt
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                dns_acl_merge(dacl, inneracl,
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                          ISC_TF(!neg));
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                dns_acl_detach(&inneracl);
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                continue;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb            } else {
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                de->type = dns_aclelementtype_nestedacl;
7829fad4093f2c1985b1efb7cea00287ff015d2bckb                de->negative = neg;
1630fce031f7a3e33f0579e477a3e17d1993e1f9Bob Halley                result = cfg_acl_fromconfig(ce, cctx, lctx,
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman                                ctx, mctx,
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman                                nest_level - 1,
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman                                &de->nestedacl);
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman                if (result != ISC_R_SUCCESS)
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman                    goto cleanup;
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman                /* Fall through */
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman            }
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman        } else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman            /* Key name */
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman            de->type = dns_aclelementtype_keyname;
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman            de->negative = neg;
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman            dns_name_init(&de->keyname, NULL);
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman            result = convert_keyname(ce, lctx, mctx,
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman                         &de->keyname);
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman            if (result != ISC_R_SUCCESS)
7554feaef6057f5ea2926076900ac7634b911456Mark Andrews                goto cleanup;
7554feaef6057f5ea2926076900ac7634b911456Mark Andrews        } else if (cfg_obj_isstring(ce)) {
7554feaef6057f5ea2926076900ac7634b911456Mark Andrews            /* ACL name */
7554feaef6057f5ea2926076900ac7634b911456Mark Andrews            const char *name = cfg_obj_asstring(ce);
7554feaef6057f5ea2926076900ac7634b911456Mark Andrews            if (strcasecmp(name, "any") == 0) {
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence                /* iptable entry with zero bit length */
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence                result = dns_iptable_addprefix(iptab, NULL, 0,
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence                              ISC_TF(nest_level != 0 || !neg));
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence                                if (result != ISC_R_SUCCESS)
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence                                        goto cleanup;
bd1190c84b08e61a12789c54f083318c36449e5eDavid Lawrence
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence                                if (nest_level != 0) {
73d62a89f1493865c33c689b3ee3de91c74ad58eDavid Lawrence                                        de->type = dns_aclelementtype_nestedacl;
f731b5d665e484c9b9634531c791cee9d87ab7a0Automatic Updater                                        de->negative = neg;
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence                                } else
f731b5d665e484c9b9634531c791cee9d87ab7a0Automatic Updater                                        continue;
f731b5d665e484c9b9634531c791cee9d87ab7a0Automatic Updater            } else if (strcasecmp(name, "none") == 0) {
f731b5d665e484c9b9634531c791cee9d87ab7a0Automatic Updater                /* negated "any" */
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence                result = dns_iptable_addprefix(iptab, NULL, 0,
f731b5d665e484c9b9634531c791cee9d87ab7a0Automatic Updater                              ISC_TF(nest_level != 0 || neg));
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence                                if (result != ISC_R_SUCCESS)
401fc772b1bf058a981e3c474fa6502f6ee0e2bfDavid Lawrence                                        goto cleanup;
03b5d2689df73fa9a50ff684511fa9d81f317e6cEvan Hunt
03b5d2689df73fa9a50ff684511fa9d81f317e6cEvan Hunt                                if (nest_level != 0) {
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                                        de->type = dns_aclelementtype_nestedacl;
03b5d2689df73fa9a50ff684511fa9d81f317e6cEvan Hunt                                        de->negative = !neg;
03b5d2689df73fa9a50ff684511fa9d81f317e6cEvan Hunt                                } else
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                                        continue;
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews            } else if (strcasecmp(name, "localhost") == 0) {
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                de->type = dns_aclelementtype_localhost;
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                de->negative = neg;
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews            } else if (strcasecmp(name, "localnets") == 0) {
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                de->type = dns_aclelementtype_localnets;
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                de->negative = neg;
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews            } else {
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                int new_nest_level;
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                if (inneracl != NULL)
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                    dns_acl_detach(&inneracl);
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                if (nest_level != 0)
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                    new_nest_level = nest_level - 1;
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                else
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                    new_nest_level = 0;
3911e7610f29dc664cbe8336f35c0652cd74652eMark Andrews                result = convert_named_acl(ce, cctx, lctx, ctx,
03b5d2689df73fa9a50ff684511fa9d81f317e6cEvan Hunt                               mctx, new_nest_level,
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman                               &inneracl);
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman                if (result != ISC_R_SUCCESS)
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    goto cleanup;
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman
f21d2ee372125a7d0648387581a6712e05feeb52Evan Hunt                if (nest_level != 0) {
f21d2ee372125a7d0648387581a6712e05feeb52Evan Hunt                    de->type = dns_aclelementtype_nestedacl;
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    de->negative = neg;
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    if(de->nestedacl != NULL)
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                        dns_acl_detach(&de->nestedacl);
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    dns_acl_attach(inneracl,
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                               &de->nestedacl);
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    dns_acl_detach(&inneracl);
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    /* Fall through */
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                } else {
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    dns_acl_merge(dacl, inneracl,
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                              ISC_TF(!neg));
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    dns_acl_detach(&inneracl);
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    continue;
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                }
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman            }
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman        } else {
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman            cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    "address match list contains "
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman                    "unsupported element type");
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman            result = ISC_R_FAILURE;
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman            goto cleanup;
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman        }
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman        /*
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman         * This should only be reached for localhost, localnets
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman         * and keyname elements, and nested ACLs if nest_level is
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman         * nonzero (i.e., in sortlists).
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman         */
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman        if (de->nestedacl != NULL &&
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman            de->type != dns_aclelementtype_nestedacl)
5d79b60fc5e4dad4f04da39570517d20a2425f8bMukund Sivaraman            dns_acl_detach(&de->nestedacl);
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman        dacl->node_count++;
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman        de->node_num = dacl->node_count;
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman        de++;
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman        dacl->length++;
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman        INSIST(dacl->length <= dacl->alloc);
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman    }
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman
f389bc2c9e9e434380e10221778b7b548612a67fDavid Lawrence    dns_acl_attach(dacl, target);
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman    result = ISC_R_SUCCESS;
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman cleanup:
b65f2ab14abb4b6ef906d7d02064fba158f07b1eDavid Lawrence    if (inneracl != NULL)
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman        dns_acl_detach(&inneracl);
ce376a81fa674d240197628ceb6113a4fa5a1ab3Mukund Sivaraman    dns_acl_detach(&dacl);
b65f2ab14abb4b6ef906d7d02064fba158f07b1eDavid Lawrence    return (result);
f731b5d665e484c9b9634531c791cee9d87ab7a0Automatic Updater}
f731b5d665e484c9b9634531c791cee9d87ab7a0Automatic Updater